Best practices, permissions, etc., on installs.

Started by tallship, May 17, 2013, 01:18:25 AM

tallship

I had posted much of this at the now defunct forums over at kbkp when I had a problem, but wanted to go over some of the logic of how our current installation is set up. I think one of my guys went and received some outside help, but there are still some lingering concerns I have, since I'm not sure if everything is working correctly and thought that I might get some pointers here.

For example, auto-upgrade doesn't work, but I can live w/o that if need be, but I just installed the twitter module again for the first time in a year and it doesn't seem to work. It did work back when, but that was another machine. With all the bugs and such I just don't know where to start in determining whether some particular non-functionality is a bug or broken module, or something I can fix by addressing permissions, etc.

If the twitter module isn't broken, then it's something in my configs (hopefully) that I need to address. So this might be a good exercise to determine whether the scripts are running correctly and troubleshooting in general to ensure the health of the system.

As a baseline for the install, I should mention that this install was originally installed by root under /var/www/hostbill, but was moved so that other parties could be provided access for customization of templates, etc. That non-privileged user is 'hostbill', and the dir for the VirtualHost container is /home/hostbill/htdocs.

Any assistance is greatly appreciated, and is perhaps the first real thread requesting community support now that we have our forums online and pretty much dialed in :)

I'll be pasting from some other posts that were saved in scratch docs.

Okay to start with, here's what config.php looks like post install, following the best practices according to the hostbill wiki:


$ cat htdocs/includes/config.php
<?php
/*
 * HOSTBILL CONFIGURATION: BASIC SETTINGS:
 */
// Database host / default: localhost
$db_host = 'localhost';

// Database name
$db_name = 'hostbilldatabase';

// Database username
$db_user = 'hostbilluser';

// Database password
$db_pass = 'hostbillpassword';

// Please enter here Credit Card Encryption Hash used to encode credit cards details in Database. Use only ASCII letters and digits
$ccEncryptionHash = 'a1b2c3_some_really_long_hash_string_d4e5f6';
// Note, hash above has been automatically generated during installation.
// Please copy it into safe place or use your value.

/*
 * ADVANCED SETTINGS:
 */

// Additional security settings:  http://wiki.hostbillapp.com/index.ph...ional_security
// Administrator folder name, default is admin
// $hb_admin_folder = 'admin';
$hb_admin_folder = 'administrator';

// Absolute location of templates_c dir - leave false for default
// $hb_templates_c_dir = false;
$hb_templates_c_dir = "/home/hostbill/hbsecure/templates_c";

// Absolute location of attachments dir - leave false for default
// $hb_attachments_dir = false;
$hb_attachments_dir = "/home/hostbill/hbsecure/attachments";

// Absolute location of downloads dir - leave false for default
// $hb_downloads_dir = false;
$hb_downloads_dir = "/home/hostbill/hbsecure/downloads";

// Advanced DB settings:
// Database Port
$db_port = '3306';

// Database Engine - mysql is default
$db_engine = 'mysql';
?>



Unfortunately, due to some default limitation on the character count here for each post, I'll have to break this into a few pieces.
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

tallship

#1
Here's the layout:


.
|-- backups
|   |-- db_backups
|   |-- install-20130428
|   `-- install-4.5.4
|-- hbsecure
|   |-- attachments
|   |-- downloads
|   `-- templates_c
|-- htdocs
|   |-- admin              (This appears after each upgrade)
|   |-- attachments    (This appears after each upgrade)
|   |-- downloads      (This appears after each upgrade)
|   |-- hbf
|   |-- includes
|   |-- administration   (This dir is the original renamed 'admin' dir)
|   |-- pics
|   |-- sharing
|   |-- templates
|   `-- templates_c    (This appears after each upgrade)
`-- mail


Following a manual upgrade, I perform the following


$ cd ~/htdocs
$ mv -fv admin administration
$ chmod administration/cron.php administration/pipe.php
$ rm -frv attachments downloads templates_c
$ su -
# /etc/rc.d/rc.httpd restart
# exit
$


I have a question about simply deleting the attachments, downloads, and templates_c dirs. Should I be copying them to /home/hostbill/hbsecure instead? Do they change or is there anything I need to concern myself with moving into the originally relocated versions of those directories?

Here's the perms on each directory:


$ ls -la htdocs hbsecure htdocs/administrator htdocs/includes
hbsecure:
total 0
drwxr-xr-x 1 hostbill users    62 Apr 28 05:56 ./
drwx--x--x 1 hostbill users   196 May  9 23:12 ../
drwxrwxrwx 1 hostbill users   212 Apr 29 12:13 attachments/
drwxrwxrwx 1 hostbill users    18 Apr 26 08:32 downloads/
drwxrwxrwx 1 hostbill users 22058 May  9 21:19 templates_c/

htdocs:
total 32
drwxr-xr-x 1 hostbill users   320 May  4 06:08 ./
drwx--x--x 1 hostbill users   196 May  9 23:12 ../
-rw-r--r-- 1 hostbill users   226 Apr 29 09:49 .htaccess
drwxr-xr-x 1 hostbill users   160 May  3 05:02 admin/
-rw-r--r-- 1 hostbill users 10819 May 17  2010 ajax-loading.gif
drwxr-xr-x 1 hostbill users    18 May  3 05:02 attachments/
-rw-r--r-- 1 hostbill users   486 Apr 30 09:15 ckrewrite.php
drwxr-xr-x 1 hostbill users    18 May  3 05:02 downloads/
drwxr-xr-x 1 hostbill users    96 May  4 05:34 hbf/
drwxr-xr-x 1 hostbill users   332 May  4 05:34 includes/
-rw-r--r-- 1 hostbill users  3189 Mar 18  2012 index.php
drwxr-xr-x 1 hostbill users   160 May  8 16:30 administrator/
drwxr-xr-x 1 hostbill users    48 May  4 00:18 pics/
drwxr-xr-x 1 hostbill users    52 May  4 05:34 sharing/
drwxr-xr-x 1 hostbill users   220 May  4 05:34 templates/
drwxr-xr-x 1 hostbill users    18 May  3 05:02 templates_c/

htdocs/administrator:
total 32
drwxr-xr-x 1 hostbill users   160 May  8 16:30 ./
drwxr-xr-x 1 hostbill users   320 May  4 06:08 ../
-rw-r--r-- 1 hostbill users 10819 May 17  2010 ajax-loading.gif
-rw-r--r-- 1 hostbill users  1456 May 17  2010 ajax-loading2.gif
-rw-r--r-- 1 hostbill users  3221 Mar 19  2012 api.php
-rwxr-xr-x 1 hostbill users  3493 Aug 24  2012 cron.php*
drwxr-xr-x 1 hostbill users    86 Apr 26 08:32 images/
-rw-r--r-- 1 hostbill users  3651 Apr  4  2012 index.php
-rwxr-xr-x 1 hostbill users  3429 Jun  8  2012 pipe.php*
drwxr-xr-x 1 hostbill users    32 Apr 26 08:32 templates/

htdocs/includes
total 76
drwxr-xr-x 1 hostbill users   332 May  4 05:34 ./
drwxr-xr-x 1 hostbill users   320 May  4 06:08 ../
drwxr-xr-x 1 hostbill users   496 Apr 26 08:32 components/
-r--r--r-- 1 hostbill users  1389 Apr 29 05:25 config.php
-r--r--r-- 1 hostbill users  1389 May  4 05:06 config.php-backup
-rw-r--r-- 1 hostbill users  1049 Aug 28  2012 config.php.example
drwxr-xr-x 1 hostbill users  1532 May  4 05:34 core/
-rw-r--r-- 1 hostbill users 38783 Jul  9  2012 cpupdate.php
drwxr-xr-x 1 hostbill users    38 Apr 26 08:32 extend/
drwxr-xr-x 1 hostbill users  1272 May  4 05:34 fastconfig/
-rw-r--r-- 1 hostbill users  3039 Jul 27  2012 general.php
-rw-r--r-- 1 hostbill users  3655 Dec 21 07:12 hostbill.php
-rw-r--r-- 1 hostbill users  2658 Jul  6  2011 index.php
-rw-r--r-- 1 hostbill users  7517 Mar  2  2011 iso4217.php
drwxr-xr-x 1 hostbill users   640 Apr 26 08:32 libs/
drwxr-xr-x 1 hostbill users    92 Apr 26 08:32 modules/
drwxr-xr-x 1 hostbill users    50 Apr 26 08:32 simplemodules/
drwxr-xr-x 1 hostbill users  1918 May  4 05:34 types/
-rw-r--r-- 1 hostbill users    34 May  3 05:02 version


Unfortunately, due to some default limitation on the character count here for each post, I'll have to break this into a few pieces.

tallship

I'm thinking that the crux of any issues we're experiencing is related to the perms. The desire was to install hostbill so that people could be granted access to manage customizations such as CSS and HTML related tasks, without requiring root access, so a non-privileged user, 'hostbill', was created.

When the installation was performed by root under /var/www, the default ownership was root:root which seemed to work fine except for auto-upgrade, and I think that might have been enabled had I chown'd everything apache:apache

I don't care whether the installation is by root or a non-privileged user. I prefer a non-privileged user, however, which enables us to permit access for graphics and web development by others.

Your thoughts, comments, recommendations?

Thanks!

Lawrence

First and foremost, character count in posts increased from 5,000 to 25,000. Sorry about that! :)

Secondly, I've enabled the twitter module in a default install, and on my website. It seems like it is indeed an issue with HostBill and should qualify as a bug. A colleague of mine also tried enabling it. It's enabled, and Twitter is nowhere to be found.

The Twitter module is broken, so it's not just you. Just tested in 3 different environments, all different file permissions, and all different versions starting from the latest branch series through current.
Skype: sociallarry | AIM: larry.aim@aim.com | Forum Rules & Information

These forums are hosted by me with no intentions to ever monetize them. These forums are here solely for the benefit of the HostBill community.

tallship

#4
Thanks Lawrence, on both of those accounts :)

I haven't noticed any issues as of yet, but do you see any problems with my non-privileged user methodology or potential pitfalls for the perms I'm using?

Oh, and is it okay to just delete those three duplicate dirs as I've been doing above, or do you think I should be copying them or at least any potential diffs into the secured dirs outside of my DocumentRoot.

Thanks again!

Lawrence

1. Your file structure is perfect, your insecure directories are private and hidden from prying eyes. Don't change that!

2. You could create a bash script that does the following. I'm gonna update some of your code. (If you've already created a bash script, great!)

$ cd ~/htdocs
$ rm -rf administration    # wipe out files deleted from the older admin area
$ mv admin administration  # simply renames the folder
$ chmod 755 administration/cron.php administration/pipe.php
$ rm -frv attachments downloads templates_c
$


3. You should be fine with just deleting the attachments, downloads, and templates_c folders. Unless the index.php file in there has changed, no need to worry. Besides, that's just there really to hide the contents when someone browses that folder.

4. Your chmod permissions for the most part are flawless. The only issue (Which really isn't an issue) is the full access of the attachments, templates_c, and downloads folder. Those are in a private secure directory, so that's all good. As long as you don't permit anything other than zipped files and images in there, you're golden.

5. If you're not utilizing Ticket Sharing, then you should consider adding that to your list of deleted files. I don't think it's a security risk, but it assists in other portals connecting to yours, which is in a sense a security risk. Deleting this file won't have any effect on your HostBill install. To play it safe, you could always just tar it before deleting it, then untar if you experience any issues.

6. There's no need to restart the http server, but if that's your preference it wouldn't hurt either. The only difference is you're probably getting 1-2 seconds of downtime each reload. Nothing drastic!
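Added example, not part of the post above and not HostBill code: a shell audit of the post-upgrade state this thread discusses, assuming the layout shown earlier (`htdocs` as DocumentRoot with `hbsecure` beside it). The function names and finding labels are invented for this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not HostBill code). Layout assumed from the thread:
#   ROOT/htdocs    DocumentRoot
#   ROOT/hbsecure  relocated attachments, downloads, templates_c

# Print one finding per line for the install under ROOT.
# ADMIN is the renamed admin folder ($hb_admin_folder in config.php).
audit_findings() {
    root=$1
    admin=${2:-administrator}
    doc="$root/htdocs"
    sec="$root/hbsecure"

    # 1. Directories an upgrade re-creates inside the DocumentRoot.
    for d in admin attachments downloads templates_c; do
        if [ "$d" != "$admin" ] && [ -d "$doc/$d" ]; then
            printf 'STRAY %s\n' "$doc/$d"
        fi
    done

    # 2. The relocated copies must exist outside the DocumentRoot.
    for d in attachments downloads templates_c; do
        if [ ! -d "$sec/$d" ]; then
            printf 'MISSING %s\n' "$sec/$d"
        fi
    done

    # 3. Nothing under the DocumentRoot should be world-writable.
    if [ -d "$doc" ]; then
        find "$doc" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
    fi

    # 4. config.php holds the DB password and card-encryption key: no write bits.
    cfg="$doc/includes/config.php"
    if [ ! -f "$cfg" ]; then
        printf 'MISSING %s\n' "$cfg"
    else
        find "$cfg" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/WRITABLE /'
    fi

    # 5. cron.php and pipe.php need their execute bit back after an upgrade.
    for f in cron.php pipe.php; do
        if [ ! -x "$doc/$admin/$f" ]; then
            printf 'NOT-EXECUTABLE %s\n' "$doc/$admin/$f"
        fi
    done
}

# Exit status 0 when the tree is clean, 1 when anything was reported.
audit_install() {
    out=$(audit_findings "$@")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample tree: the state after a manual upgrade plus cleanup,
# with the permissions from the ls -la listing in the thread.
build_sample_tree() {
    mkdir -p "$1/htdocs/includes" "$1/htdocs/administrator" \
        "$1/hbsecure/attachments" "$1/hbsecure/downloads" \
        "$1/hbsecure/templates_c"
    : > "$1/htdocs/includes/config.php"
    : > "$1/htdocs/administrator/cron.php"
    : > "$1/htdocs/administrator/pipe.php"
    find "$1/htdocs" -type d -exec chmod 755 {} \;
    chmod 444 "$1/htdocs/includes/config.php"
    chmod 755 "$1/htdocs/administrator/cron.php" \
        "$1/htdocs/administrator/pipe.php"
}

# Usage: sh audit.sh /home/hostbill [admin-folder]
if [ "$#" -ge 1 ]; then
    audit_install "$@"
fi
```

The second argument is the renamed admin folder, since the thread uses more than one name for it.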

Enterprisevpssolutions

I have my twitter module working fine https://enterprisevpssolutions.com/evdsportal/ It posts new updates when I make them. If you are running cpanel and suphp you would want all the files owned by the user; you can use this script to fix that for one account or all of them: http://boomshadow.net/tech/fixes/fixperms-script/
Enterprise Vps Solutions (VPS) - Cloud Solutions, Shared hosting, VPS , and more, Fast Dedicated Servers. Great ssl prices SSL Certs, Follow us on Twitter. Sales Question? Contact us! Send us a Request Tampa , Florida Hivelocity Datacenter

tallship

#7
Lawrence,

Thanks for the invaluable help. I originally didn't have any issue with the initial install but then following an update received cron errors. I tried posting for help in the kbkp forums but they were too consumed at that time with threads concerning disgruntled users to attract any attention.

I told one of my guys to take a look, and go out and find support elsewhere. We found a fix for those errors by changing session.save_path to point to /tmp instead of /var/lib/php in /etc/httpd/php.ini as shown in the last line of my actual file below:


[Session]
; Handler used to store/retrieve data.
; http://php.net/session.save-handler
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; The path can be defined as:
;
;     session.save_path = "N;/path"
;
; where N is an integer.  Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories.  This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
;         You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
;         use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
;     session.save_path = "N;MODE;/path"
;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
; http://php.net/session.save-path
;session.save_path = "/var/lib/php"
session.save_path = "/tmp"



I would have preferred to leave it stock and not dump session info into /tmp, and now that I'm looking at it with less desperate eyes it seems that I might have been able to avoid the problem altogether by setting the mode directive to something like 666 or 755.

But I'll tell ya, anything was better than having to run the cronjob by hand 10 or fifteen times a day until we got a fix, LOL!

Maybe I'll play with that later when things are slow. I only have one license so I don't have the luxury of a HostBill development/staging server. Whenever I prepare for changes I have to take everything offline for a few minutes, cross my fingers that I won't need to take even more time to perform a backup, and then open the port on the firewall again to return to production.


Quote from: Enterprisevpssolutions on May 17, 2013, 02:39:37 AM
I have my twitter module working fine https://enterprisevpssolutions.com/evdsportal/ It posts new updates when I make them. If you are running cpanel and suphp you would want all the files owned by the user; you can use this script to fix that for one account or all of them: http://boomshadow.net/tech/fixes/fixperms-script/

I'm wondering if HostBill wasn't designed primarily to run with Apache configured for suPHP handler. The reason I mentioned the cron issue above, is that suPHP was one solution I read about when googling.

And the fact that your twitter plugin works too - and you're using suPHP. I'll venture a guess your auto-upgrade works flawlessly too?

My current setup uses DSO, and the machine our HostBill install is on doesn't share any resources with customer data. I'm somewhat of the mind, or at least under the impression, that you take a pretty good performance hit when you run suPHP. In fact, I've never used suPHP, but I have used FastCGI on several machines in the past to actually increase performance in some scenarios. Things like Interchange (an old shopping cart system once funded by Redhat) and OpenWebMail use FastCGI.

When it comes to cPanel on CentOS, I get the impression that suPHP may really be the way to go, although I haven't rolled out any cPanel hosting yet for customers. All the websites I've been hosting over the years have been strictly sftp and I just add an include line in httpd.conf for another vhost-username.conf. For the htdocs DocumentRoot, I simply put that in /etc/skel so it's created by default when a user account is created.

For security, I set all the perms in the user dirs to 707 on those machines, and since the group ownership is set to the "users" group, i.e., joeuser:users, the other users don't have any access to any other users' directories.

Call me olde skool, lol, but I am looking forward to deploying cPanel services for automated signups for webhosting via either HostBill, or even WHMCS or Blesta, which we also have licenses for. My main sales guy can't live without it, and can barely find his way around a shell, and nowadays, most users freak if you tell them to drop their BIND db files into their ~/named/ directory and HUP the nameserver anyway.

I followed links in that article you provided to the thread at WHT and I'm very impressed with it. suPHP isn't a problem really, since I can simply throw as much resources in the form of RAM and CPU to the shared hosting machines anyway, and in looking over that script it appears really dreamy.

Besides, I have a few customers who are providing shared webhosting services themselves w/cPanel on CentOS, and I'm often at a loss when they ask me a question. Someone opened a ticket and asked a question the other day about "sub-domains", and since it was me who answered the question, I started explaining to her about NS RRs and how to delegate authority to a child zone - later that day, one of my techs explained to me that in cPanel lingo, sub domains are really sub-domains, but rather, merely subdirectories with another A RR for that virtualhost.

I didn't know whether I was supposed to feel stupid or if the folks at cPanel should apologize to their customers for lying to them about what a sub domain really is LOL!

Thanks and kudos to both of you. I'm so glad we have these forums here. And once I'm completely certain I have everything correct and running optimally, I'll do a little Mini-HowTo write up on exactly the steps I follow for an installation.

Kindest regards,
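Added example, not part of the post above and not PHP or HostBill code: a shell check for the `session.save_path` setting discussed in that post. It parses the `N;MODE;/path` forms described in the quoted php.ini comment and reports a mode that opens session files to group or other, or a save directory that is world-writable. The function names and finding labels are invented for this example, and the sample ini text is constructed from the last two lines of the posted file.

```shell
#!/bin/sh
# Added example (not PHP or HostBill code).

# Effective session.save_path from a php.ini: the last uncommented assignment.
ini_save_path() {
    sed -n 's/^[[:space:]]*session\.save_path[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '"\r' | sed 's/[[:space:]]*$//'
}

# Split "N;MODE;/path", "N;/path" or "/path" into "depth mode path".
# Mode defaults to 600, as the php.ini comment states.
parse_save_path() {
    v=$1
    case $v in
        *\;*\;*) depth=${v%%;*}; rest=${v#*;}
                 mode=${rest%%;*}; path=${rest#*;} ;;
        *\;*)    depth=${v%%;*}; mode=600; path=${v#*;} ;;
        *)       depth=0; mode=600; path=$v ;;
    esac
    printf '%s %s %s\n' "$depth" "$mode" "$path"
}

# Print one finding per line for a save_path value; nothing when it is fine.
check_save_path() {
    parse_save_path "$1" | {
        read -r depth mode path
        case $mode in
            ''|*[!0-7]*)
                printf 'BAD-MODE %s\n' "$mode" ;;
            *)
                # Any group/other bit exposes session data to local accounts.
                if [ $((0$mode & 077)) -ne 0 ]; then
                    printf 'MODE %s lets group/other access session files\n' "$mode"
                fi ;;
        esac
        if [ ! -d "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ -n "$(find "$path" -prune -perm -0002 -print)" ]; then
            # A directory like /tmp: every local account can create files here.
            printf 'SHARED %s is world-writable\n' "$path"
        fi
    }
}

# Constructed sample mirroring the two lines at the end of the posted php.ini.
sample_ini() {
    cat <<'EOF'
[Session]
session.save_handler = files
;session.save_path = "/var/lib/php"
session.save_path = "/tmp"
EOF
}

# Usage: sh check_session.sh /etc/httpd/php.ini
if [ "$#" -ge 1 ]; then
    check_save_path "$(ini_save_path "$1")"
fi
```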

UCG_Keith

Hi Bradley,

For what it's worth, we built our hostbill on CentOS/cPanel with suPHP.  We also have an isolated dbs server for our HB install and have not seen any performance issues.  We are running with 5.32GHz CPU (2 2.66 Xeon E5620 processors) and 4GB RAM on the App server and database server.

Additionally, we also have twitter working and auto updates work as designed.  Regarding the template_c, attachments, download directories; we have them sitting in the /home/USERNAME/hb/ outside of public_html and new directories are not created during an auto update.

Cheers,
Keith

Enterprisevpssolutions

Suphp I believe is better and more secure than the other options. Also, I have modsecurity added and my performance hasn't dropped. I have had hostbill on webmin/virtualmin before moving everything to centos/cpanel and, if anything, since moving it seems faster and much more stable. Even better, I have it running on my own cloud vm setup so it's HA on the hardware side; use ssd drives for your mysql databases and the performance will increase. I believe it's all in how you build your setup from the ground up with hardware in mind; you have to know what you would use in resources before you build it. If you have a lot of traffic I would look to switching to nginx as it handles the load 10X better than apache. I just never got a chance to fully test hostbill with nginx; it is on my to do list.  8)

tallship

#10
Quote from: UCG_Keith on May 17, 2013, 09:31:21 AM
Hi Bradley,

For what it's worth, we built our hostbill on CentOS/cPanel with suPHP...

Additionally, we also have twitter working and auto updates work as designed.  Regarding the template_c, attachments, download directories; we have them sitting in the /home/USERNAME/hb/ outside of public_html and new directories are not created during an auto update.

Thanks Keith, that's really interesting. A couple of times it was almost tempting enough for me to consider the CentOS/Cpanel install too.

I'm seeing a pattern here. From what I've observed, or at least noticed, it seems that people who have auto-update working out of the box have their HostBill installed on CentOS/cPanel. I was wondering for a bit if that had anything to do with the twitter module working too, and started worrying about other broken things in my install.... But there's more ;)

Quote from: Enterprisevpssolutions on May 17, 2013, 02:02:23 PM
Suphp I believe is better and more secure than the other options...  Even better, I have it running on my own cloud vm setup so it's HA on the hardware side; use ssd drives for your mysql databases and the performance will increase.

I've been using Apache for so long... I do need to play more w/nginx though. You're using the CentOS/cPanel method too. I know CentOS/RHEL/Scientific perms out of the box are different than some of the others, and again, I'm thinking this has something to do with auto-updates working out of the box.

I don't have any SSD drives yet, but I'm in an HA environment (vSphere 5.10 at the moment for the machine running HostBill over Slackware64 -current), And I've just recently finished migrating to OMV from OpenFiler for my iSCSI SANs. If anyone hasn't checked out OMV, do it, it's really kewl. If you're looking for the iSCSI, it's a plugin ;)

When using block level devices you don't need to concern yourself with a bunch of RAM, but most of my SANs are running on VMs w/about 12 or 16GB RAM anyway - way more than enough. 4GB would be fine as long as you don't get carried away with any NAS related file related things like NFS, or SAMBA stuff.

I'm very interested in utilizing SSD storage for things like databases, but for the moment I think I'm doing okay because the hypervisor hosts for all of my SANs are RAID 0+1 w/hot standby drives. Yah I know some think that's a waste of good space but I have the hardware level redundancy and nothing (except for SSDs of course) kicks major butt like RAID 0+1 or RAID 10.

Quote from: Lawrence on May 17, 2013, 01:32:03 AM
I've enabled the twitter module in a default install, and on my website. It seems like it is indeed an issue with HostBill and should qualify as a bug. A colleague of mine also tried enabling it. It's enabled, and Twitter is nowhere to be found.

The Twitter module is broken, so it's not just you. Just tested in 3 different environments, all different file permissions, and all different versions starting from the latest branch series through current.

Okay I said there was more :)  Completely by accident, I discovered the Twitter module does indeed work for me if I use either the *default*, *nextgen*, or *nextgen_clean* Client Area templates.

If I choose the sidepadtheme or modernpanel it doesn't work. Maybe Patrick will come up with a work-around, or perhaps it works with those templates too for other folks here. I really don't know.

If you want to see if you can reproduce and verify my findings and submit the bug report Lawrence, I'll be happy to +1 it if you post the link back here.

As trivial a module as the Twitter module is, I really think it adds a lot of value and bang for the buck in the way of branding and approachability from the customer's perspective.

Anyway, thanks everyone, for all the feedback. I am interested in checking out suphp, but I sure wish I had a second copy of HostBill to devel/stage with. Any testing I want to do requires me taking everything offline for the duration of time spent on testing, switching host and dir on the license server etc.

Perhaps there's a silver lining though... hm... Maybe I should start looking around on eBay for people dumping HostBill licenses - after all, there are an awful lot of people that are so disgusted with the developers' juvenile antics that I just might be able to find one for really cheap  :D

Kindest regards,

tallship

Quote from: Lawrence on May 17, 2013, 01:32:03 AM
The Twitter module is broken, so it's not just you. Just tested in 3 different environments, all different file permissions, and all different versions starting from the latest branch series through current.

I noticed that the twitter was working for me as soon as I switched away from the sidepadtheme to either nextgen, nextgen_clean, or default; but it isn't displaying anything in modernpanel either.

Maybe Patrick will have some pointers on fixing that over the next couple of days or so.